Back about two years ago I was working on a product line that took a number of potentially objectionable actions with customers’ systems. I pushed back against the product teams, saying that these actions put our products at risk of being perceived as malware.

They in turn pushed back on me, essentially telling me to prove my allegations.

So I went away for a few days, did some research, and returned with my (fanfare) Malware Perception Risk Assessment Tool. Ta-da!

Uh, sorry, I meant “thud”. It went over like a lead ballon. No takers. So I wrote it up in an article at UXmatters, hoping it’d become adopted. More deafening silence. Dejection.

But here’s the thing: systems are becoming more and more interconnected, and more than ever, applications are utilizing aspects of your personal, semi-public, and public data to derive value (presumably for you as well as themselves). Thus the risk of an application being perceived as malware has only increased.

I strongly believe that our field needs to provide the wider world with a tool that can help assess the risk that a particular product or service might be tagged as malware in the minds of users or the market at large.

So I again submit to the UX, dev, and product management communities the Malware Risk Assessment Checklist.

To measure the probability of people perceiving a product as malware, I created a checklist representing a set of attributes that typically characterize malware. I grouped these attributes into these five categories, each containing two or more representative attributes:

• personal information gathering and usage
• modification of data or system configuration
• stealth and resistance to removal or modification
• resource utilization
• transparency and disclosure of third-party relationships

This time, I’m explicitly calling out the fact that the checklist is light on data propagation via social networking applications. And I’m asking for help in rounding out that aspect of the checklist. So help a guy out and suggest some social media items. I am releasing this checklist under a “Creative Commons non-commercial share alike-derivative works permitted” license, so you can remix this, add to it, etc. When I receive some good item suggestions, I’ll re-roll the list and publish again.

Here’s the checklist as it stood in 2008. Peeps, have at it.

Personal Information Gathering and Usage
The product or Web site…
Gathers and transmits users’ personal data or information about users’ behavior to the organization providing the product
____Yes
____No
Gathers and transmits users’ personal data or information about users’ behavior to a third party.
____Yes
____No
Uses personal data and data the product developer obtained from third parties to assemble profiles of users that are more complete and comprehensive than users expect.
____Yes
____No
Exposes more of users’ personal information to their contacts or a community than users expected or wanted.
____Yes
____No
Does any of the above without user notification and consent.
____Yes
____No
Does any of the above and does not allow users to opt out.
____Yes
____No

Modification of Data or System Configuration
The product or Web site…
Overwrites, modifies, or destroys users’ data without their knowledge or consent.
____Yes
____No
Modifies other applications on users’ computers or their operating system settings or computing environment.
____Yes
____No
Fails to restore modifications to other applications, operating system settings, or the computing environment when the user uninstalls the product.
____Yes
____No
Damages or renders inoperative other software or hardware on users’ computing systems.
____Yes
____No

Stealth and Resistance to Removal or Modification
The product or Web site…
Hides or renders its files and resources inaccessible to the user through normal means—that is, using standard file managers and viewers.
____Yes
____No
Resists attempts at removal.
____Yes
____No
Modifies antivirus, antispyware, and other computing hygiene applications or application settings, to make itself appear harmless or less harmful than it actually is.
____Yes
____No

Resource Utilization
The product or Web site…
Overuses computing resources—CPU, GPU, memory, and so on—to a noticeable extent.
____Yes
____No
Utilizes computing resources for purposes not directly related to the tasks users typically perform with the software.
____Yes
____No

Transparency and Disclosure of Third-Party Relationships
The product or Web site…
Installs third-party applications that demonstrate any of the above behaviors.
____Yes
____No
Installs third-party applications without user notification and consent.
____Yes
____No

C’mon people, let’s make this checklist useful, and maybe even a de facto standard.

Click to view full size
Originally uploaded by Matthew Oliphant

Just saw this via Matthew Oliphant’s Flickr collection. I have two unrelated observations to share with the Twitterverse / blogosphere / interwebz:

1. Hey, at least they’re sayin’ so.

2. “Chromed Bird” makes me think of Maltese Falcon.

Look, no one said I had to be 100% on-point and all UX-smart for every post.